Registry Cleaners: Digital Snake Oil

A word on registry cleaners.

One of the most common complaints we see on our forums, and from our users, concerns a particular category of program called “Registry Optimizers” or “Registry Cleaners” or “Registry Defragmenters”. For this post, we will just refer to them as registry cleaners.

Who makes this software?

There are many software companies all over the world who make registry cleaners. Not all of them are included in our PUP classification. We will discuss why some get added to our PUP list later in this blog post, but for now, let’s look at what a registry cleaner is exactly in greater depth.

What is the registry?

Think of it as a database where Windows and the programs you have installed keep their settings: which options are enabled, how programs are set up, which user account can use them, and many other settings and preferences.

Where is the registry stored on my computer?

The registry is not one file but several, referred to as registry hives, and where they live depends on the version of Windows you are running. On current versions the system hives (SAM, SECURITY, SOFTWARE, SYSTEM and DEFAULT) sit under %SystemRoot%\System32\config, and each user's own settings live in NTUSER.DAT inside that user's profile folder.

If you go looking for them, you will notice that most guides come with the caveat that you shouldn't touch the registry with an infinitely long pole.

Bad things happen when you make uninformed changes to the registry.

When was the registry added to Windows?

Its introduction goes all the way back to Windows 3.1, so yeah… a long time ago.

Why would you need to clean it?

This is where we get to the heart of the problem. Many users swear by the performance differences they have experienced before and after running these types of programs.

We believe that this is mostly due to a computer version of the placebo effect. You watch the progress bar. The little Lego blocks get stacked neatly. You get a report showing everything that is repaired… It's all very satisfying.

All this makes what we are about to say very problematic. It might even make some readers angry…

Registry Cleaners are the digital equivalent of snake oil!

Snake oil is an expression that has come to refer to any product of questionable or unverifiable quality or benefit.

Don’t believe us?

Microsoft does not support the use of registry cleaners. Some programs available for free on the internet might contain spyware, adware, or viruses. If you decide to install a registry cleaning utility, be sure to research the product and only download and install programs from publishers that you trust. For more information, see when to trust a software publisher.

Microsoft is not responsible for issues caused by using a registry cleaning utility. We strongly recommend that you only change values in the registry that you understand or have been instructed to change by a source you trust, and that you back up the registry before making any changes.
Microsoft cannot guarantee that problems resulting from the use of a registry cleaning utility can be solved. Issues caused by these utilities may not be repairable and lost data may not be recoverable.

Before you modify the registry, make sure you back it up, create a restore point, and make sure that you understand how to restore the registry if a problem occurs.

That’s a pretty damning statement.
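Microsoft's advice above (back up, create a restore point, know how to restore) is easy to state and easy to skip. The following PowerShell script is an added example written for this post; it is not Microsoft's code and not a Malwarebytes tool. It assumes an elevated PowerShell session on a Windows client with System Protection enabled, and the key name HKCU\Software\ExampleApp and the backup folder are illustrative placeholders.

```powershell
# Added example (not from the Malwarebytes post or from Microsoft): back up a
# registry key and create a restore point before any manual registry change.
# Assumes an elevated PowerShell session on a Windows client with System
# Protection enabled; the key and paths below are illustrative placeholders.

$Key       = 'HKCU\Software\ExampleApp'      # key you are about to edit (assumed)
$PsKey     = 'HKCU:\Software\ExampleApp'     # same key in PowerShell drive notation
$BackupDir = Join-Path $env:USERPROFILE 'RegBackups'
$Stamp     = Get-Date -Format 'yyyyMMdd-HHmmss'
$Backup    = Join-Path $BackupDir "ExampleApp-$Stamp.reg"

if (-not (Test-Path $PsKey)) { throw "$PsKey does not exist; nothing to back up." }
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null

# 1. Export the key to a .reg file. reg.exe sets a non-zero exit code on failure.
& reg.exe export $Key $Backup /y | Out-Null
if ($LASTEXITCODE -ne 0 -or -not (Test-Path $Backup)) {
    throw "Export of $Key failed; do not continue editing."
}

# 2. Sanity-check the export: every valid .reg file starts with this header line.
$Header = Get-Content -Path $Backup -TotalCount 1
if ($Header -ne 'Windows Registry Editor Version 5.00') {
    throw "Unexpected .reg header in $Backup"
}

# 3. Create a system restore point. Requires elevation, and Windows 8 and later
#    allow only one restore point per 24 hours by default (controlled by the
#    SystemRestorePointCreationFrequency value), so an error here can simply
#    mean one was created recently.
Checkpoint-Computer -Description "Before editing $Key" -RestorePointType MODIFY_SETTINGS

# 4. Now make the change you actually understand (placeholder value name).
Set-ItemProperty -Path $PsKey -Name 'ExampleSetting' -Value 1 -Type DWord

# 5. Rollback, if something breaks. 'reg import' merges the file back; it does
#    not remove values added since the export, so delete the key first when you
#    want an exact restore of the saved state.
# & reg.exe delete $Key /f
# & reg.exe import $Backup
```

The header check matters because `reg export` writes a UTF-16 file; opening it in a tool that expects ANSI can silently produce a file that `reg import` rejects. The restore point is the safety net for changes a .reg export cannot capture, such as edits under HKLM that affect services and drivers.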


Does that mean that we will add all these programs to our PUP definitions? No, as we mentioned earlier, not all registry cleaners meet our PUP definition criteria.

We can tell you these programs are snake oil, but we're not going to try to force you not to use them. We don't condone forcing stuff onto people, and forcing programs onto users is exactly how a registry cleaner winds up flagged as a PUP by Malwarebytes Anti-Malware…

Let’s look at an example of how this happens.

Step 1

A software manufacturer partners with another software company that makes “bundlers” or “wrappers” to distribute their registry cleaner program. Let’s stick with the name bundlers for this example.

Bundlers put a bunch of programs together and offer the user these additional programs during the initial installation process. Sadly, many software companies do this, even some pretty big ones. We are not saying that all bundled software is malicious, only that this practice is ripe for abuse.

(Not all PUPs use a bundler, but the ones that do tend to misbehave…)

Remember, all the bundler wants to achieve is the maximum number of installations. It’s their business model. It’s how they get paid. It is also therefore not surprising that they would bend the rules as far as they can in order to achieve this.

(A side effect of surrendering the distribution of your program to a third-party is that you can then insulate yourself from their bad behavior… Right there we have an ethical quandary.)

Step 2

The bundler pre-populates the installation check box for several programs, including their partnered registry cleaner. They then seed the Internet with their bundled installer.

This can be through an affiliate marketing scheme to distribute the bundle, aggressive online adverts, or any number of other ways.

Step 3

A user, either seeking one of the other programs that are part of the bundler or deceived into installing it through “dark patterns”, double negatives, and confusing opt-out techniques winds up with the registry cleaner installed. Some of these software manufacturers will go so far as to have two versions of their programs.

An official one, available from their website, that reports a low error count, has opt-in partner program installations and looks innocuous.

An affiliate version, that has opt-out partner programs, a silent install, and an aggressive detection count. That version can only be found on the web during an active affiliate campaign. This is done so the software vendor can claim innocence and blame a rogue affiliate for the aggressive nature of the program.

Step 4

The registry cleaner runs as part of its installation and/or configures itself to run at start-up, performs a scan, and generates a report showing a large number of errors found.

(Hint: Registry cleaners will ALWAYS find errors, even on a freshly installed operating system! The trick is that these software manufacturers are classifying events recorded in the registry as critical errors that require “fixing”.)

This program now runs at every start-up, generating the “push for sale” popup with the results of the scan and the numerous “errors”.

Sometimes the UI is designed to make the window difficult to close.

Sometimes the registry cleaner periodically displays the “push for sale” pop up AGAIN in the same session, despite the user having closed it and declined to purchase the software. They may use bubble notifications in the taskbar.

These types of behaviors are how we rate the aggressiveness of the registry optimizers in determining if a PUP classification is warranted.
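When a program re-launches its scan and its sales popup at every start-up, the first thing a practitioner wants to know is where it registered itself to do that. The following PowerShell script is an added example for this post, not Malwarebytes code and not a reproduction of any particular cleaner; it inspects only the well-known Run/RunOnce keys and the Task Scheduler, and the '*clean*' name filter is an assumed placeholder you would replace with the name of the product you are hunting.

```powershell
# Added example (not from the Malwarebytes post): find where a program has
# registered itself to run at every logon or start-up, so the entry behind a
# recurring "errors found" popup can be located and removed. Only the common
# Run/RunOnce keys and scheduled tasks are checked; '*clean*' is an assumed
# filter, adjust it to the product you are looking for.

$NameFilter = '*clean*'

$RunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)

# Each value under a Run key is "<name> = <command line>"; match on either.
$RunHits = foreach ($Key in $RunKeys) {
    if (-not (Test-Path $Key)) { continue }
    $Props = Get-ItemProperty -Path $Key
    foreach ($P in $Props.PSObject.Properties) {
        if ($P.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath bookkeeping
        if ($P.Name -like $NameFilter -or "$($P.Value)" -like $NameFilter) {
            [pscustomobject]@{ Source = $Key; Name = $P.Name; Command = $P.Value }
        }
    }
}

# Scheduled tasks are the other common way to relaunch a scan at logon.
$TaskHits = Get-ScheduledTask | Where-Object {
    $_.TaskName -like $NameFilter -or
    ($_.Actions | Where-Object { "$($_.Execute)" -like $NameFilter })
} | ForEach-Object {
    [pscustomobject]@{
        Source  = "Task $($_.TaskPath)"
        Name    = $_.TaskName
        Command = ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; '
    }
}

$All = @($RunHits) + @($TaskHits)
if ($All.Count -eq 0) {
    'No autorun entries matched the filter.'
} else {
    $All | Format-Table -AutoSize -Wrap
}

# After confirming what an entry is, remove it with one of:
#   Remove-ItemProperty -Path <Source> -Name <Name>            # Run-key value
#   Unregister-ScheduledTask -TaskName <Name> -Confirm:$false  # scheduled task
```

Run it elevated to see the HKLM keys and all scheduled tasks; without elevation you will only see the current user's entries. The output tells you both the persistence location and the exact command line, which is what you want to keep before deleting anything.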

Step 5

The user clicks on the fix button of the report, and is funneled to a purchase page for the registry cleaner. The user buys the software, alarmed at the numerous registry “errors” reported.

The bundler, affiliates, and the software manufacturer split the profits. The user has paid for a program that is at best useless, and at worst could damage the registry and make the computer unusable.

These are the PUP criteria that merit flagging such a program as a Potentially Unwanted Program:

The changes to our PUP classification took place as a result of listening to our user base.

We have seen the large number of complaints on forums about these programs. We have seen the deceptive methods they use to sneak onto computers in an effort to extract payment for non-existent errors detected by a program of little or no value.

We have revised our Potentially Unwanted Program stance in the past, and now have revised it again to include Registry Cleaners that exhibit these aggressive traits.

Presently our default behavior is to quarantine PUPs. Unlike the programs we classify as such, Malwarebytes Anti-Malware lets you decide what to keep or remove, and our free version provides full removal capabilities should you choose the latter.

By pushing the limits of marketing techniques, by playing the numbers games on unwanted installations, by claiming innocence and blaming overzealous affiliates for repeated bad behavior, the purveyors of this digital snake oil will earn a well deserved potentially unwanted program classification.

Our vision statement at Malwarebytes is that “everyone has a fundamental right to a malware free existence,” and we mean to uphold it.
